What Precedent Does This Set?
Hackers’ tactics are getting more sophisticated, and organizations are finding it increasingly hard to keep up. The threat is compounded as cybercriminals coordinate their efforts and receive backing from influential groups.
Maintaining a solid cybersecurity posture is difficult even if your company hires experts to monitor data security and confidentiality.
One of the biggest challenges for CSOs (Chief Security Officers) and other security professionals is ransomware. Security professionals respond to a ransomware hit in different ways, but the wrong approach can land the CSO in an ugly legal battle. That is what happened to the former Uber CSO, Joe Sullivan, over an incident in 2016.
On Oct 5th, 2022, a federal jury found Uber’s former CSO guilty of obstructing justice and concealing a felony for his role in responding to the 2016 data breach. The breach compromised approximately 57 million personal records of Uber passengers and drivers.
According to the New York Times, the hackers sent Sullivan a notice informing him of the data breach. They then demanded a ransom, failing which they would release the information on Uber riders and drivers to the dark web and the public.
To avoid drawing the attention of the Federal Trade Commission (FTC) to the matter, Sullivan, the then-CSO, reached out to Uber’s in-house legal team and CEO and notified them about the notice. The three parties agreed to negotiate with the hackers to have the breached data deleted and to keep quiet about the matter.
Uber’s CEO at the time, Travis Kalanick, agreed that the company should proceed to negotiate with the criminals. The negotiation required the hackers to sign a non-disclosure agreement (NDA) stating that they would not disclose that they had breached Uber’s network and stolen data.
The negotiation further required the hackers to destroy the data they had exfiltrated — as if hackers always keep their word. In return, Uber would pay the hackers $100,000 in BTC and disguise the payment as an award from its “bug bounty” program.
A year after the cover-up, Uber fired Kalanick over unrelated issues and appointed Dara Khosrowshahi as the new CEO. When Khosrowshahi learned what had happened, he fired Sullivan, notified the Federal Trade Commission (FTC), and assisted a U.S. attorney in building a case against Sullivan.
The new Uber CEO could have kept the information to himself, but he wanted to do things differently under his leadership. Consequently, Uber paid fines of up to $148 million for failing to disclose the data breach on time.
The U.S. Attorney’s Office charged Sullivan with obstruction of justice for failing to notify the government about the breach. However, such a failure is not itself a federal offense, so the jury convicted him on two counts.
On the obstruction count, the jury found that the former Uber CSO corruptly obstructed the proper administration of the law. On the misprision count, it found Sullivan guilty of actively concealing a felony.
The work of a CSO, or of any security professional, is challenging. CSOs are under constant pressure to keep their company current with rapidly evolving cybersecurity trends and threats.
However, the Sullivan guilty verdict adds another layer of complexity to the position of a Chief Security Officer. It means CSOs must be aware that they can be held personally liable for their organizations’ decisions.
As the facts show, the former CSO notified the CEO and the internal legal team about the ransomware attack when it happened in 2016. All three parties agreed that negotiation would be the best approach. He went ahead with the plan, but six years later, he was the only one convicted of obstruction of justice.
Will the law treat every data breach case like this? Many will argue no. The incident is worth noting, but the case is unique because the former Uber CSO actively tried to hide the breach from regulators and officials. He failed to tell the government that hackers had stolen data from Uber’s network.
While the law discourages ransom payment, the tactic is common in many organizations — especially those with cybersecurity insurance policies that cover such attacks.
While the FBI discourages ransomware negotiation, it states that it will not pursue businesses that negotiate and pay to recover their data from hackers. However, the hackers must not be affiliated with prohibited criminal groups — especially those with heavy Russian influence.
Despite the risk of paying ransomware demands, there are circumstances where you cannot automatically rule out the option. Such scenarios include when:
There is no straightforward answer to whether a business should pay a ransom when hit by ransomware. However, you must notify the proper regulatory bodies and authorities of the incident on time to avoid ending up in Sullivan’s position. After all, hiding a ransomware incident is nearly impossible, and lies and excuses will not build goodwill with regulators or with your client base.